diff --git a/CHANGES b/CHANGES
index 54858ea180..63483835ba 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,13 @@
 
+2.0-beta-28 | 2011-11-14 20:09:28 -0800
+
+  * Binary packaging script tweaks. We now require CMake 2.8.6. (Jon Siwek)
+
+  * More default "weird" tuning for the "SYN_with_data" notice. (Seth
+    Hall)
+
+  * Tiny bugfix for http file extraction along with test. (Seth Hall)
+    
 2.0-beta-21 | 2011-11-06 19:27:22 -0800
 
   * Quickstart doc fixes. (Jon Siwek)
diff --git a/VERSION b/VERSION
index c7a306b6f3..ebffe616f6 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.0-beta-21
+2.0-beta-28
diff --git a/aux/broctl b/aux/broctl
index 288c8568d7..6fb4e5689d 160000
--- a/aux/broctl
+++ b/aux/broctl
@@ -1 +1 @@
-Subproject commit 288c8568d7aaa38cf7c05833c133a91cbadbfce4
+Subproject commit 6fb4e5689d2ae0d1c4ab7af0a8df80e6eaa98fb6
diff --git a/pkg/check-cmake b/pkg/check-cmake
index 2c3ed765a6..17531af2f7 100755
--- a/pkg/check-cmake
+++ b/pkg/check-cmake
@@ -5,7 +5,7 @@
 # version of CMake is required to obtain consistency, but can be increased
 # as new versions of CMake come out that also produce working packages.
 
-CMAKE_PACK_REQ="cmake version 2.8.4"
+CMAKE_PACK_REQ="cmake version 2.8.6"
 CMAKE_VER=`cmake -version`
 
 if [ "${CMAKE_VER}" != "${CMAKE_PACK_REQ}" ]; then
diff --git a/pkg/make-deb-packages b/pkg/make-deb-packages
index a9de210e52..432de8336a 100755
--- a/pkg/make-deb-packages
+++ b/pkg/make-deb-packages
@@ -27,21 +27,21 @@ cd ..
 
 # Minimum Bro
 ./configure --prefix=${prefix} --disable-broccoli --disable-broctl \
-            --pkg-name-prefix=Bro --binary-package
+            --pkg-name-prefix=Bro-minimal --binary-package
 ( cd build && make package )
 
 # Full Bro package
-./configure --prefix=${prefix} --pkg-name-prefix=Bro-all --binary-package
+./configure --prefix=${prefix} --pkg-name-prefix=Bro --binary-package
 ( cd build && make package )
 
 # Broccoli
 cd aux/broccoli
 ./configure --prefix=${prefix} --binary-package
-( cd build && make package && mv Broccoli*.deb ../../../build/ )
+( cd build && make package && mv *.deb ../../../build/ )
 cd ../..
 
 # Broctl
 cd aux/broctl
 ./configure --prefix=${prefix} --binary-package
-( cd build && make package && mv Broctl*.deb ../../../build/ )
+( cd build && make package && mv *.deb ../../../build/ )
 cd ../..
diff --git a/pkg/make-mac-packages b/pkg/make-mac-packages
index a8f7f965c8..829a64ca25 100755
--- a/pkg/make-mac-packages
+++ b/pkg/make-mac-packages
@@ -35,25 +35,25 @@ cd ..
 
 # Minimum Bro
 CMAKE_OSX_ARCHITECTURES=${arch} ./configure --prefix=${prefix} \
-    --disable-broccoli --disable-broctl --pkg-name-prefix=Bro \
+    --disable-broccoli --disable-broctl --pkg-name-prefix=Bro-minimal \
     --binary-package
 ( cd build && make package )
 
 # Full Bro package
 CMAKE_OSX_ARCHITECTURES=${arch} ./configure --prefix=${prefix} \
-    --pkg-name-prefix=Bro-all --binary-package
+    --pkg-name-prefix=Bro --binary-package
 ( cd build && make package )
 
 # Broccoli
 cd aux/broccoli
 CMAKE_OSX_ARCHITECTURES=${arch} ./configure --prefix=${prefix} \
     --binary-package
-( cd build && make package && mv Broccoli*.dmg ../../../build/ )
+( cd build && make package && mv *.dmg ../../../build/ )
 cd ../..
 
 # Broctl
 cd aux/broctl
 CMAKE_OSX_ARCHITECTURES=${arch} ./configure --prefix=${prefix} \
     --binary-package
-( cd build && make package && mv Broctl*.dmg ../../../build/ )
+( cd build && make package && mv *.dmg ../../../build/ )
 cd ../..
diff --git a/pkg/make-rpm-packages b/pkg/make-rpm-packages
index ac8dfa97b4..9560cc80ff 100755
--- a/pkg/make-rpm-packages
+++ b/pkg/make-rpm-packages
@@ -20,21 +20,21 @@ cd ..
 
 # Minimum Bro
 ./configure --prefix=${prefix} --disable-broccoli --disable-broctl \
-            --pkg-name-prefix=Bro --binary-package
+            --pkg-name-prefix=Bro-minimal --binary-package
 ( cd build && make package )
 
 # Full Bro package
-./configure --prefix=${prefix} --pkg-name-prefix=Bro-all --binary-package
+./configure --prefix=${prefix} --pkg-name-prefix=Bro --binary-package
 ( cd build && make package )
 
 # Broccoli
 cd aux/broccoli
 ./configure --prefix=${prefix} --binary-package
-( cd build && make package && mv Broccoli*.rpm ../../../build/ )
+( cd build && make package && mv *.rpm ../../../build/ )
 cd ../..
 
 # Broctl
 cd aux/broctl
 ./configure --prefix=${prefix} --binary-package
-( cd build && make package && mv Broctl*.rpm ../../../build/ )
+( cd build && make package && mv *.rpm ../../../build/ )
 cd ../..
diff --git a/scripts/base/frameworks/notice/weird.bro b/scripts/base/frameworks/notice/weird.bro
index 2303c97fbc..379409532c 100644
--- a/scripts/base/frameworks/notice/weird.bro
+++ b/scripts/base/frameworks/notice/weird.bro
@@ -174,7 +174,7 @@ export {
 		["SYN_after_reset"]                     = ACTION_LOG,
 		["SYN_inside_connection"]               = ACTION_LOG,
 		["SYN_seq_jump"]                        = ACTION_LOG,
-		["SYN_with_data"]                       = ACTION_LOG,
+		["SYN_with_data"]                       = ACTION_LOG_PER_ORIG,
 		["TCP_christmas"]                       = ACTION_LOG,
 		["truncated_ARP"]                       = ACTION_LOG,
 		["truncated_NTP"]                       = ACTION_LOG,
diff --git a/scripts/base/protocols/http/file-extract.bro b/scripts/base/protocols/http/file-extract.bro
index d36d95e475..ffb925ae28 100644
--- a/scripts/base/protocols/http/file-extract.bro
+++ b/scripts/base/protocols/http/file-extract.bro
@@ -33,7 +33,8 @@ export {
 event http_entity_data(c: connection, is_orig: bool, length: count, data: string) &priority=5
 	{
 	# Client body extraction is not currently supported in this script.
-	if ( is_orig || ! c$http$first_chunk ) return;
+	if ( is_orig )
+		return;
 	
 	if ( c$http$first_chunk )
 		{
diff --git a/testing/btest/Baseline/scripts.base.protocols.http.http-extract-files/http-item_141.42.64.125:56730-125.190.109.199:80_resp_1.dat b/testing/btest/Baseline/scripts.base.protocols.http.http-extract-files/http-item_141.42.64.125:56730-125.190.109.199:80_resp_1.dat
new file mode 100644
index 0000000000..73c369dd14
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.http.http-extract-files/http-item_141.42.64.125:56730-125.190.109.199:80_resp_1.dat
@@ -0,0 +1,304 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"
+"http://www.w3.org/TR/REC-html40/loose.dtd">
+<HEAD><TITLE>ICIR</TITLE></HEAD>
+<BODY bgcolor="#ffffff" text="#000000" link="#0000ff" vlink="#b20000">
+<img src=icir.gif alt="ICIR"><br>
+<p>
+ICIR (The ICSI Center for Internet Research)
+is a 
+non-profit
+research institute at
+<a href="http://www.icsi.berkeley.edu">ICSI</a>
+in 
+<a href="http://dir.yahoo.com/Regional/U_S__States/California/Cities/Berkeley/">Berkeley</a>, 
+California.<br>
+For the three years from 1999 to 2001 we were named
+ACIRI, the AT&T Center for Internet Research at ICSI, 
+and were funded by <a href="http://www.att.com">AT&amp;T</a>.<br>
+
+The goals of ICIR are to:
+<ul>
+<li>Pursue research on the Internet architecture and related networking issues,
+<li>
+Participate actively in the research (<a href="http://www.acm.org/sigcomm/">SIGCOMM</a> and <a href="http://www.irtf.org/">IRTF</a>) and
+standards (<a href="http://www.ietf.org/">IETF</a>) communities,
+<li> Bridge the gap between the Internet research community and commercial 
+interests by providing a neutral forum where topics of mutual technical 
+interest can be addressed.
+</ul>
+<p>
+<!--
+ICIR is now 
+<a href="jobs.html">
+hiring</a> for both postdoctoral positions and summer interns.
+-->
+<hr>
+
+<DIV ALIGN="CENTER">
+
+<table width="100%" cellspacing=16 cellpadding=0>
+
+<tr>
+<td width="35%" valign=top>
+
+<h2>
+People
+</h2>
+<ul>
+<li>
+<a href="./shenker/">
+Scott Shenker</a>, Group Leader<br> 
+<li><a href="http://www.icir.org/mallman/">Mark Allman</a>
+<li>
+<a href="./floyd/">Sally Floyd</a>
+<!--
+<li><a href="http://www.isi.edu/~govindan/">Ramesh Govindan</a>
+-->
+<li>
+<a href="./karp/papers.html">
+Richard Karp</a>  
+<!-- (also with the 
+<a href="http://www.icsi.berkeley.edu/Theory/">ICSI Theory Group</a>, 
+<a href="http://www.msri.org/">MSRI</a>, and
+<a href="http://www.cs.berkeley.edu/">UC Berkeley</a>) -->
+<li>
+<a href="./vern/">
+Vern Paxson</a>  
+<li>
+<a href="http://www.icir.org/robin/">
+Robin Sommer</a>
+<li>
+<a href="http://www.cs.berkeley.edu/~nweaver/">
+Nicholas Weaver</a>
+<li>
+<a href="http://www.icsi.berkeley.edu/~zhao/">
+Jerry Zhao</a>
+<!-- </ul> &nbsp; &nbsp;<b>Group Members</b> <ul> -->
+<li><b><a href="pastvisitors.html">Past Group Members</a></b>,
+<br>including:
+<ul>
+<li>
+<a href="http://www.cs.ucl.ac.uk/staff/M.Handley/">
+Mark Handley</a> (UCL)
+<li><a href="./kohler/">Eddie Kohler</a> (UCLA)
+</ul>
+<li><b>Affiliated <a href="http://www.xorp.org/">Xorp</a>
+Researchers</b>:
+  <ul>
+  <li><a href="./jcardona/">Javier Cardona</a>
+  <li><a href="./atanu/">Atanu Ghosh</a> 
+  <li><a href="./hodson/">Orion Hodson</a>
+  <li><a href="./pavlin/">Pavlin Radoslavov</a> 
+  <li><a href="http://www.iet.unipi.it/~luigi">Luigi Rizzo</a>
+  <li><a href="http://people.freebsd.org/~bms/">Bruce Simpson</a>
+</ul>
+<li><b>Affiliated UCB Researchers</b>:
+  <ul>
+  <li><a href="http://www.cs.berkeley.edu/~christos/">Christos Papadimitriou</a>
+  <li><a href="http://www.cs.berkeley.edu/~istoica/">Ion Stoica</a>
+  </ul>
+<li><b>Visitors</b>:
+  <ul>
+  <li><a href="http://grid.sjtu.edu.cn/teachers/dengqn/dengqn.htm">Professor Quin-Ni Deng</a>
+<!--
+  from Shanghai Jiaotong University
+-->
+  <li>Teemu Koponen
+<!--
+  , Helsinki Institute for Information Technology
+-->
+  </ul>
+<!--
+<li><a href="pastvisitors.html">Other researchers</a>
+-->
+<a name=Visitors></a>
+<li><b>Interns:</b>
+<ul>
+<li>Juan Caballero
+<li><a href="http://www.stanford.edu/~casado/">Martin Casado</a>
+<li><a href="http://www.cs.rice.edu/~scrosby/">Scott Crosby</a>
+<li><a href="http://bnrg.cs.berkeley.edu/~wdc/">Weidong Cui</a>
+<li><a href="http://www.cs.berkeley.edu/~chema">Chema Gonzalez</a>
+<li>Halldor Isak Gylfason
+<li><a href="http://www.cl.cam.ac.uk/~cpk25/">Christian Kreibich</a>
+<li><a href="http://www.cs.ucsd.edu/~braghava">Barath Raghavan</a>
+<!--
+<li><a href="newinterns.html">New Interns:</a> 
+-->
+</ul>
+<li><b>Undergraduate Interns:</b>
+<ul>
+<li>Michael Hoisie
+<li>Arthur Wayne Liao
+<li>Christopher Portka
+</ul>
+<li><b><a href="pastvisitors.html">Past Visitors and Interns:</a></b>
+</ul>
+
+</td>
+<td width="30%" valign=top>
+
+<h2>
+Publications
+</h2>
+<ul>
+<li><a href="./rfcs.html">
+RFCs</a> with ICIR authors.
+<li>
+<a href="./internetdrafts.html">
+Internet drafts</a> with ICIR authors, 3/2004 
+(or <a href="http://www.rfc-editor.org/idsearch.html">search</a>
+the current list).
+<!--
+for "Shenker OR Floyd OR Allman OR Paxson".
+(or the 
+<a
+href="
+http://search.ietf.org:80/search/cgi-bin/BrokerQuery.pl.cgi?broker=internet-drafts&query=%28Author%3A+Shenker+OR+Floyd+OR+Handley+OR+Paxson+OR+Kohler%29&caseflag=on&wordflag=off&errorflag=0&maxlineflag=50&maxresultflag=1000&descflag=on&sort=by-NML&verbose=on&maxobjflag=25">current list</a>.)
+
+http://search.ietf.org:80/search/cgi-bin/BrokerQuery.pl.cgi?broker=internet-drafts&query=(Shenker+OR+Floyd+OR+Handley+OR+Paxson+OR+Kohler)&descflag=on">current list</a>).
+-->
+<!--
+from the 
+<a href="http://search.ietf.org/search/brokers/internet-drafts/query.html">
+Internet-Drafts Search Engine</a>).
+-->
+<li>Papers by 
+<a href="./shenker/papers.html">Scott Shenker</a>
+(<a
+href="http://citeseer.ist.psu.edu/cs?qb=dbnum%3D1%2Cqtype%3Dcitation:&q=Scott%20w/2%20Shenker%20or%20S%20w/2%20Shenker&co=Citations">RI</a>),
+
+<a href="./mallman/papers/">Mark Allman</a>
+(<a
+href="http://citeseer.ist.psu.edu/cs?qb=dbnum%3D1%2Cqtype%3Dcitation:&q=Mark%20w/2%20Allman%20or%20S%20w/2%20Allman&co=Citations">RI</a>),
+
+<a href="./floyd/papers.html">Sally Floyd</a>
+(<a
+href="http://citeseer.ist.psu.edu/cs?qb=dbnum%3D1%2Cqtype%3Dcitation:&q=Sally%20w/2%20Floyd%20or%20S%20w/2%20Floyd&co=Citations">RI</a>),
+
+<a href="./karp/papers.html">Richard Karp</a>
+(<a
+href="http://citeseer.ist.psu.edu/cs?qb=dbnum%3D1%2Cqtype%3Dcitation:&q=Richard%20w/2%20Karp%20or%20R%20w/2%20Karp&co=Citations">RI</a>),
+<a href="./kohler/pubs/">Eddie Kohler</a>
+(<a
+href="http://citeseer.ist.psu.edu/cs?qb=dbnum%3D1%2Cqtype%3Dcitation:&q=eddie%20w/2%20kohler%20or%20e%20w/2%20kohler&co=Citations">RI</a>),
+<a href="./vern/papers.html">Vern Paxson</a>
+(<a
+href="http://citeseer.ist.psu.edu/cs?qb=dbnum%3D1%2Cqtype%3Dcitation:&q=Vern%20w/2%20Paxson%20or%20V%20w/2%20Paxson&co=Citations">RI</a>).
+<li>The <a href="http://citeseer.ist.psu.edu/">
+ResearchIndex</a> (RI) and the 
+<a href="http://citeseer.ist.psu.edu/cs">Search</a>
+and 
+<a href="http://citeseer.ist.psu.edu/Networking/">
+Networking</a> pages. 
+</ul>
+
+<h2>
+Projects 
+</h2>
+<ul>
+<li>
+<a href="./vern/bro-info.html">Bro</a>
+(detecting network intruders). 
+<li>The <a href="http://www.isi.edu/newarch/">NewArch</a> Project:
+Future-Generation Internet Architecture.
+<LI>The <a href="http://www.isi.edu/nsnam/ns/">NS</a>
+network simulator.
+<li> <a href="./tbit/">TBIT</a>
+(TCP Behavior Identification Tool).
+<li> <a href="http://www.xorp.org/">Xorp</a>
+(Extensible Open Router Platform).
+<li>
+<a href="./funded_projects.html">
+Other Funded Projects</a>.
+<li>
+<a href="./research.html">
+Additional Research Links</a>.
+</ul>
+
+
+</td>
+
+<td width="35%" valign=top>
+    
+<h2>Research</h2>
+&nbsp; &nbsp;<b>Transport and Congestion</b>
+<ul>
+<li>
+<a href="./kohler/dcp/">DCCP</a>
+(Datagram Congestion Control Protocol).
+<li>
+<a href="./floyd/ecn.html">ECN</a>
+(Explicit Congestion Notification).
+<li>
+<a href="http://www.ietf.org/html.charters/intserv-charter.html">
+Integrated services</a>.
+<li>
+<a href="./floyd/red.html">RED</a> 
+queue management, and
+<a href="./red-pd/">RED-PD</a>.
+<li>
+<a href="./floyd/hstcp.html">HighSpeed TCP</a>.
+<li>
+<a
+href="http://www.ietf.cnri.reston.va.us/html.charters/OLD/tcpimpl-charter.html">
+TCP Implementation</a>.
+<li>
+Reordering-Robust TCP 
+(<a href="./bkarp/RR-TCP/">RR-TCP</a>).
+<li>TCP
+<a href="./floyd/sacks.html">SACK</a> 
+(Selective Acknowledgment).
+<li>
+<a href="./tfrc/">TFRC</a> 
+(TCP-Friendly Rate Control).
+</ul>
+
+&nbsp; &nbsp;<b>Traffic and Topology</b>
+<ul>
+<LI>
+<a href="http://idmaps.eecs.umich.edu/">IDMaps</a> 
+(Internet Distance Mapping).
+<LI>The <a href="http://www.acm.org/sigcomm/ITA/">
+Internet Traffic Archive</a>.
+<li>
+<a href="http://www-net.cs.umass.edu/minc/">MINC</a>
+(Multicast-based Inference of Network-internal Characteristics).
+<li>
+<a href="http://www.psc.edu/networking/nimi/">NIMI</a>
+(National Internet Measurement Infrastructure).
+</ul>
+
+<h2>
+<a href="./collaborators.html">
+Collaborators</a>
+</h2>
+
+<!--
+&nbsp; &nbsp;<b>Multicast and Multimedia</b>
+<ul>
+<LI><A href="/malloc/">MALLOC</a>
+(Multicast Address Allocation).
+<LI><a href="http://www.cs.columbia.edu/~hgs/sip/">SIP</a>
+(Session Initiation Protocol).
+<li> <a href="yoid"> Yoid</a> (host-based content distribution). 
+</ul>
+-->
+
+</td>
+
+</tr>
+</table>
+</DIV>
+
+<hr>
+<h2>Information for <a href="./abouticir.html">visitors</a> and <a href="/sysdocs/">local users</a>.</h2>
+<hr>
+Last modified: June 2004. <a href="./COPYRIGHTS">Copyright notice</a>.
+<a href="http://web.archive.org/web/*/http://www.aciri.org/">
+Older versions</a> of this web page, in its ACIRI incarnation..
+<BR>
+For more information about this server, mail <I>www@aciri.org</I>.  
+<BR>
+To report <a href="scanning.html">unusual activity</a> by any of our hosts, mail <I>abuse@aciri.org</I>.
+</BODY>
diff --git a/testing/btest/Baseline/scripts.base.protocols.http.http-extract-files/http.log b/testing/btest/Baseline/scripts.base.protocols.http.http-extract-files/http.log
new file mode 100644
index 0000000000..386eaf8901
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.http.http-extract-files/http.log
@@ -0,0 +1,5 @@
+#separator \x09
+#path	http
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	user_agent	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	filename	tags	username	password	proxied	mime_type	md5	extraction_file
+#types	time	string	addr	port	addr	port	count	string	string	string	string	string	count	count	count	string	count	string	string	table	string	string	table	string	string	file
+1128727435.634189	arKYeMETxOg	141.42.64.125	56730	125.190.109.199	80	1	GET	www.icir.org	/	-	Wget/1.10	0	9130	200	OK	-	-	-	-	-	-	-	text/html	-	http-item_141.42.64.125:56730-125.190.109.199:80_resp_1.dat
diff --git a/testing/btest/scripts/base/protocols/http/http-extract-files.bro b/testing/btest/scripts/base/protocols/http/http-extract-files.bro
new file mode 100644
index 0000000000..4338cddb47
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/http/http-extract-files.bro
@@ -0,0 +1,5 @@
+# @TEST-EXEC: bro -C -r $TRACES/web.trace %INPUT
+# @TEST-EXEC: btest-diff http.log
+# @TEST-EXEC: btest-diff http-item_141.42.64.125:56730-125.190.109.199:80_resp_1.dat
+
+redef HTTP::extract_file_types += /text\/html/;
\ No newline at end of file